Fix SARIF ingestion to surface skipped findings as warnings

What does this MR do and why?

Fixes SARIF ingestion to surface skipped findings as warnings instead of errors.

Previously, per-result skips (missing ruleId, nil UUID components, missing physical locations) were recorded as report errors. This caused StoreScanService to set the scan status to :report_error and skip storing all findings, even those that parsed successfully.

This MR reclassifies these per-result issues as warnings so partial-ingestion scans proceed normally and all valid findings are stored. It also adds an 'Ingestion' warning summarizing the total drop count when results are skipped.

Fatal errors (schema validation failures, unsupported version) remain as errors and continue to block ingestion as before.
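As an added illustration (not GitLab's code), the classification described above modelled as a small standalone ingester: fatal problems set :report_error and store nothing, per-result problems become warnings, and an 'Ingestion' warning carries the total drop count. The `ingest_sarif` function, its return shape and the sample report are all constructed for this example.

```ruby
require 'json'

# Hypothetical, simplified model of the behaviour this MR describes; not
# GitLab's own implementation. Fatal problems (unsupported version, missing
# "runs") are errors that block ingestion; per-result problems (missing
# ruleId, missing physicalLocation) are warnings, and valid results are kept.
SUPPORTED_VERSION = '2.1.0'

def ingest_sarif(json)
  doc = JSON.parse(json)
  errors, warnings, findings = [], [], []

  errors << "unsupported SARIF version #{doc['version'].inspect}" if doc['version'] != SUPPORTED_VERSION
  errors << 'missing "runs" array' unless doc['runs'].is_a?(Array)
  # Fatal: status :report_error and nothing stored (behaviour unchanged by the MR).
  return { status: :report_error, errors: errors, warnings: warnings, findings: findings } if errors.any?

  dropped = 0
  doc['runs'].each do |run|
    Array(run['results']).each_with_index do |result, idx|
      uri = result.dig('locations', 0, 'physicalLocation', 'artifactLocation', 'uri')
      reason = 'missing ruleId' if result['ruleId'].to_s.empty?
      reason ||= 'missing physicalLocation' if uri.nil?
      if reason
        # Per-result skip: recorded as a warning, not an error, so ingestion continues.
        warnings << { type: 'Parsing', message: "skipped result #{idx}: #{reason}" }
        dropped += 1
      else
        findings << { rule_id: result['ruleId'], uri: uri, message: result.dig('message', 'text') }
      end
    end
  end
  # Summary warning with the total drop count, as the MR adds.
  warnings << { type: 'Ingestion', message: "#{dropped} result(s) skipped" } if dropped > 0

  { status: :success, errors: errors, warnings: warnings, findings: findings }
end

# Constructed sample in the spirit of one_valid_and_two_invalid_results:
# one valid result, one without ruleId, one without a physicalLocation.
SAMPLE_REPORT = JSON.generate(
  'version' => '2.1.0',
  'runs' => [{ 'results' => [
    { 'ruleId' => 'R1', 'message' => { 'text' => 'ok' },
      'locations' => [{ 'physicalLocation' => { 'artifactLocation' => { 'uri' => 'a.rb' } } }] },
    { 'message' => { 'text' => 'no rule' },
      'locations' => [{ 'physicalLocation' => { 'artifactLocation' => { 'uri' => 'b.rb' } } }] },
    { 'ruleId' => 'R2', 'message' => { 'text' => 'no location' } }
  ] }]
)
```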

How to set up and validate locally

  1. Create a SARIF report with mixed valid and invalid results (e.g., some missing ruleId or physicalLocation)
    1. Example: one_valid_and_two_invalid_results.sarif.json
  2. Enable feature flag ::Feature.enable(:sarif_ingestion, project)
  3. Ingest the report:
    # .gitlab-ci.yml
    sarif_scan:
      script: pwd # no-op, just upload the report
      artifacts:
        reports:
          sarif: one_valid_and_two_invalid_results.sarif.json
  4. Verify that:
    • The valid finding is stored successfully
    • Skipped results generate warnings (not errors)
    • An 'Ingestion' warning shows the total drop count
    • The scan status is not :report_error

MR acceptance checklist

  • Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Direct Upload Support for SARIF Reports (#452042)

Edited by Lucas Charles
